• Subject: Re: FTP through a firewall
• From: Mark Bauman <mlbauman@xxxxxxxxxxxx>
• Date: Wed, 29 Jul 1998 12:00:19 -0500 (CDT)


I am posting the attached answer from Kent Hofer of IBM Rochester who
responded to my query about whether he could answer the following
question on midrange:  

Excerpts from mail: 29-Jul-98 Re: FTP through a firewall Kent Hofer (4803+0) 

>> Sender: owner-midrange-l@midrange.com 

>> Would like to know the filter rules needed to allow FTP access to an AS/400 
>> from non-secure side of firewall. 

>> I assume that these would be the same as any FTP Server, so any internet 
>> links that apply would also be appreciated. 

> Art Tostaine, Jr. 

I'll assume that the person asking the question knows what they are
doing with securing ftp and securing the system that they are allowing
access to (I don't want to get into a discussion on security policy). 
To allow access to an internal system implies that the internal system
has an internet routeable address, and that the firewall is set up to
perform packet forwarding.  Let's assume that the ftp server is at
address  When a packet is filtered, the rules are scanned from
top to bottom, so the ordering of the rules is VERY important.  To keep
filter rule files readable, I suggest adding rules like this at the end
of the file, before the catch-all deny rules, and putting some "block
comments" around them so you can find them easily. 

For the purpose of my answer I'll list the filter rules in this format: 

action source@ sourceMask dest@ destMask sourcePort destPort protocol direction routing interface logging 

And, the filter rules would be: 

permit ge/1024 eq/21 TCP/ACK inbound route non-secure log=n 
permit ge/1024 eq/21 TCP inbound route non-secure log=y 
permit ge/1024 eq/21 TCP outbound route secure log=n 

(The above rules allow all inbound packets to the ftp server to flow in
across the non-secure and then out across the secure to the target
machine.  The protocol field, TCP/ACK covers all packets that have the
ACK flag on in the TCP header, which is all packets except the first
requesting SYN packet.  The TCP rule covers all TCP headers with or
without the ACK flag.  Thus, these rules let you log one message in the
log for the entire connection.) 

Now, you need rules for the ftp server machine to send ACKs back to the
client out on the internet. 

permit eq/21 ge/1024 TCP/ACK inbound route secure log=n 
permit eq/21 ge/1024 TCP/ACK outbound route non-secure log=n 

That takes care of the ftp control channel.  When a get or a put is done
from most clients, you will end up having the ftp server establish a
connection BACK to the client, that originates from source port 20.  So,
we need rules to allow that connection as well, and I'll assume that we
do not want to log this connection, thus a group of only 2 rules this

permit eq/20 ge/1024 TCP inbound route secure log=n 
permit eq/20 ge/1024 TCP outbound route secure log=n 

These previous two rules let the TCP connection request and any
subsequent ACKs to flow from the server back to the client.  Lastly, we
need rules to allow the ACKs from the client back to the server for the
data connection. 

permit ge/1024 eq/20 TCP/ACK inbound route non-secure log=n 
permit ge/1024 eq/20 TCP/ACK outbound route secure log=n 

There are ways to combine some of these rules using "both" on the
direction and interface fields but that makes it more difficult to
explain and probably more prone to errors when copying a set of rules
like this to something else, so I prefer to list them out separately. 

I just made these rules up by thinking thru them, I didn't go try
them...  As always, I'll add a plug here for our AS/400 firewall web
site where we have some common configuration scenarios with filter rule
examples etc...  Take a look at http://www.as400.ibm.com/firewall and
browse thru the sections, especially the "Tech Tips" section. 

Hope that helps. 

Mark L Bauman  (for Kent Hofer) 
AS/400 Software Communications Development 

| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
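As an added illustration of the filter logic in Kent's answer (this is not code from the post or from IBM's firewall): a small Python model of the top-to-bottom, first-match scan, loaded with the nine rules above, where "ftp-server" and "*" stand in for the real addresses and masks that the post does not show. A routed packet is checked inbound on the interface it arrives on and again outbound on the interface it leaves by, which is how the post's paired rules work; run against the rules exactly as written, the model shows that only the client's first SYN to port 21 is logged, that a passive-mode data connection to a high server port falls through to the catch-all deny, and that the port-20 connection's outbound rule (interface "secure") does not match the leg leaving on the non-secure interface, the kind of check the author says he did not run.

```python
# Added example (not IBM firewall code): a first-match model of the post's rule
# layout. "ftp-server" and "*" are placeholders for the real addresses/masks.
from collections import namedtuple
Rule = namedtuple("Rule", "action src dst sport dport proto direction iface log")
Packet = namedtuple("Packet", "src dst sport dport ack")
SERVER, ANY = "ftp-server", "*"

def _port_ok(spec, port):  # spec is "ge/1024" or "eq/21"
    op, n = spec.split("/")
    return port >= int(n) if op == "ge" else port == int(n)

def matches(rule, pkt, direction, iface):
    # TCP/ACK matches only segments with ACK set; plain TCP matches any segment
    proto_ok = pkt.ack if rule.proto == "TCP/ACK" else True
    return (rule.src in (ANY, pkt.src) and rule.dst in (ANY, pkt.dst)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)
            and proto_ok and rule.direction == direction and rule.iface == iface)

def filter_leg(rules, pkt, direction, iface):
    """Scan top to bottom; first match wins; the trailing catch-all denies and logs."""
    for r in rules:
        if matches(r, pkt, direction, iface):
            return r.action, r.log
    return "deny", True

def forward(rules, pkt, in_iface, out_iface):
    """A routed packet is checked inbound where it arrives, then outbound where it leaves."""
    action, logged = filter_leg(rules, pkt, "inbound", in_iface)
    if action == "permit":
        action, log2 = filter_leg(rules, pkt, "outbound", out_iface)
        logged = logged or log2
    return action, logged

RULES = [  # the post's nine rules, in the post's order ("route" field omitted)
    Rule("permit", ANY, SERVER, "ge/1024", "eq/21", "TCP/ACK", "inbound", "non-secure", False),
    Rule("permit", ANY, SERVER, "ge/1024", "eq/21", "TCP", "inbound", "non-secure", True),
    Rule("permit", ANY, SERVER, "ge/1024", "eq/21", "TCP", "outbound", "secure", False),
    Rule("permit", SERVER, ANY, "eq/21", "ge/1024", "TCP/ACK", "inbound", "secure", False),
    Rule("permit", SERVER, ANY, "eq/21", "ge/1024", "TCP/ACK", "outbound", "non-secure", False),
    Rule("permit", SERVER, ANY, "eq/20", "ge/1024", "TCP", "inbound", "secure", False),
    Rule("permit", SERVER, ANY, "eq/20", "ge/1024", "TCP", "outbound", "secure", False),  # as written
    Rule("permit", ANY, SERVER, "ge/1024", "eq/20", "TCP/ACK", "inbound", "non-secure", False),
    Rule("permit", ANY, SERVER, "ge/1024", "eq/20", "TCP/ACK", "outbound", "secure", False),
]

if __name__ == "__main__":
    syn = Packet("client", SERVER, 3000, 21, False)        # client opens the control channel
    data = Packet(SERVER, "client", 20, 3000, False)       # server opens the active-mode data channel
    print(forward(RULES, syn, "non-secure", "secure"))     # ('permit', True): the one logged SYN
    print(forward(RULES, data, "secure", "non-secure"))    # ('deny', True): rule 7's interface field
```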
